Filter
Top Products
7-19
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 7 Configuring Event Action Rules
Configuring Event Action Overrides
• Do not transmit packets on the specified TCP connection.
sensor(config-eve)# overrides deny-connection-inline
sensor(config-eve-ove)#
• Send TCP RST packets to terminate the connection.
sensor(config-eve)# overrides reset-tcp-connection
sensor(config-eve-ove)#
• Request a block of the connection.
sensor(config-eve)# overrides request-block-connection
sensor(config-eve-ove)#
• Request a block of the attacker host.
sensor(config-eve)# overrides request-block-host
sensor(config-eve-ove)#
• Log the packets from the attacker IP address.
sensor(config-eve)# overrides log-attacker-packets
sensor(config-eve-ove)#
• Log the packets from the victim IP address.
sensor(config-eve)# overrides log-victim-packets
sensor(config-eve-ove)#
• Log packets from both the attacker and victim IP addresses.
sensor(config-eve)# overrides log-pair-packets
sensor(config-eve-ove)#
• Write an alert to Event Store.
sensor(config-eve)# overrides produce-alert
sensor(config-eve-ove)#
• Write verbose alerts to Event Store.
sensor(config-eve)# overrides produce-verbose-alert
sensor(config-eve-ove)#
• Write events that request an SNMP trap to the Event Store.
sensor(config-eve)# overrides request-snmp-trap
sensor(config-eve-ove)#
Step 4 Configure the risk rating for this override item. The default risk rating range is 0 to 100. Set it to a
different value, such as 85 to 100.
sensor(config-eve-ove)# risk-rating-range 85-100
Step 5 Enable or disable the use of this override item. The default is enabled.
sensor(config-eve-ove)# override-item-status {enabled | disabled}
Step 6 Verify the settings.
sensor(config-eve-ove)# exit
sensor(config-eve)# show settings
action-to-add: deny-attacker-inline
-----------------------------------------------
override-item-status: Enabled default: Enabled
risk-rating-range: 85-100 default: 0-100